Well, I hope the audit happens. Part of the whole open source cryptography thing is that people can readily audit and monitor the code for bugs and vulnerabilities. And considering the program is meant to keep things safe and secret, all more reason to get it audited.

Plus, I'm curious to see if anything does pop up. If the only seriously viable tool for encrypting data turns out to be full of holes (or have just enough), then shit...

It's kind of troubling to think about the amount of time/money required to do a full security audit. If there was a widespread effort to tamper with large amounts of open source software, do the resources exist to detect that tampering?

How complex is an app like truecrypt compared to firefox? If an exploit could be hidden in truecrypt, how much easier would it be to hide in firefox?

I always thought the anonymity behind the whole thing was a bit of a concern and troubling. Especially in this day and age with a program as widely used as this one.

I learned about it a while back on the blog of a guy who was suspicious of it. He could be called a conspiracy theorist I guess but it actually looked a bit credible. Although I didn't really want to believe it at the time, they kinda make a good case.

I'm all for this audit.

Until this audit is completed, I'm trading in my tin-foil hat for an IKEA colander.

Interesting, we encrypt every PC at my work with TrueCrypt. I simply assumed that it was a proven piece of software but to find that it's never been audited and that the authors are unknown is very interesting. We deal with PHI (personal health information) daily and have quite a bit of time and effort invested in security, it would be less than funny to find out that TrueCrypt has a huge backdoor.

Seriously nobody knows who created the software? That is very intriguing when you think about all the possibilities. Kind of surprising that it's so heavily used, since the origin is unknown.

I wrote it. It's legit. No need to audit anything.

It seems like almost everything in life must be audited and subjected to critical review. Deciding what to accept and what to reject requires effort. I'm glad that capable people are interested in auditing software.

It's not that people have doubts about the software (at least, none that are well-founded that I know of). It's just that it's way, way past due for people who know what they're looking for to make sure that the software is as secure as people believe.

RE your question, I don't know of any security issues with Keepass. The data is encrypted server side and they use AES so it's going to be immune to the average script kiddie. The security it provides in allowing you to manage multiple good unique passwords for your online life is worth the very small risk that comes with the usage of software like Keepass.

I actually think the fact that it is/was anonymously developed and open source makes it more likely to be secure. If it were developed by a for-profit company based in the US, it would be certain to have a built-in weakness or backdoor.

Haha, just read the audit report. Anyone with the background can audit the report fairly quickly.

It's not like Truecrypt has never been audited. Previous versions of the Linux source have been fully audited. Previous versions of Windows have been audited, to lesser extent. The license, which is admittedly... kind of odd... has never been audited that I am aware of. I'm unsure of the implications of it. Nor has the current version (publicly, again that I'm aware of). Previous audits have revealed bugs, that have been patched by the maintainers.

The one bit that struck me as interesting is the indication that nobody knows who made it. I know the maintainers are an NPO (The Truecrypt Foundation) and I had assumed that they created the software. Then again, no one really knows who made the bitcoin protocol either, so I guess important software being made by anonymous programmers is not unheard of.

I'm really curious about the results of the audit. I based my decisions about TC on the audit of 7.0, but I'm using the current release, so really it's "who knows" until this audit is completed.

On the other hand, I'm almost positive Bitlocker has a Microsoft backdoor hidden within the structure of the recovery keys. So take from that what you will. TC also does not use TPM chips, unlike Bitlocker, and TC states they consider TPM security theatre. I'm not sure either way on that one. They're obviously very serious about cryptography, whoever they are.

Just because something is open source and can be read by anyone, doesn't mean that anyone has actually read it. There have been serious security bugs found in several open source programs that were there for years until finally noticed. You'll probably remember several examples reported on here.

Building unsecured systems, going forwards from here, is like thinking we can build apartment buildings and businesses, but make the door locks optional and leave them off by default, and buy them later if we feel the need to bother. It's preposterous really. The era is dawning that NOBODY should trust anybody, and real bulletproof security methods and practices need to become the minimum standard baseline of what computers do for us, and how we use them.

The basic functionality of Truecrypt needs to be fully rolled into all file systems code by default, it shouldn't be an extra piece of software. That way, Linux / BSD / etc. would come straight out of the box with full blown TC-like encryption and containering abilities. That would help alleviate the issue of code auditing a separate and complex package, since full and proper security would be a basic part of the workload of the OS community. If that seems like extra work, I think we've been naive and slacking off so far to NOT do it.

I had no idea. I find this little fact (is it a fact?) to be extremely interesting.

Ditto. I'd like to hear more about this possible-fact.

As would I. Actually, I'd really like to see a rundown on the different methods of securing your data and messages, not just on TrueCrypt. What should I know about besides TrueCrypt and PGP?

For storage, that's about it. There are platform-specific tools (dm-crypt on linux), and there are other libraries/tools to use (openssl has a lot of utilities built in to its tools), but none are as useful as truecrypt and pgp for general use.

For communication, OTR messaging is currently the best bet. In some ways, it's easier to secure than PGP email, since the keys are ephemeral, providing perfect forward secrecy.

In terms of the relevance to information and humanity, this seems to be a pretty good project to get behind. It seems to me that the EFF and/or Wikileaks (or similar) would want to advertise this, to help vet this once and for all.

Really though, if Google really wanted to build some goodwill, they'd supply the full $25K (and more) and just make it happen to show that they believe in privacy at the end-user level.

I can't believe that the paltry (compared to their revenue) amount this would cost would not be worth the goodwill they'd receive from having an independent auditor dive into TrueCrypt.

In any case, donating my money now.... I just wish there were 1 official source instead of fundfill and Indiegogo. I'd rather Indiegogo because I'm more familiar with it, but since fundfill retweeted one of Cyrus's tweets, I'm going to go with that one instead.

Finally. My issues with TC have always been the anonymous developers, it was closed source, and once it was open sourced, there had never been an audit by competent experts. These things together made me suspicious. If there's an audit, the anonymity becomes a nonissue to me.

7-zip (7-zip.org) is open-source and lets you create archives with AES-256 encryption, but it hasn't been audited either.

Yes but its encryption capabilities are sort of an on-the-side feature. Not sure many people looking at 7-zip think "the encryption built into this is bulletproof" but Truecrypt is an app specifically for encryption. You'd be hoping it's been audited to some level.

The first to spring to mind is Sendmail. It shipped as part of a lot of Linux distros for years yet nobody ever looked over the code.